D-LINK DIR-825: Invalid MAC Address issue and Javascript hack

A few months ago I decided to invest in a new Wireless N router with simultaneous dual-band capabilities. I found the D-Link DIR-825 router to be a good fit for my needs and took a gamble on a somewhat pricey router. So far, the experience has been acceptable, but there is one really annoying issue.

Sometimes, when trying to add an IP Reservation (necessary for port forwarding, etc.), the device you are trying to reserve for is not allowed to be added to the list of reserved addresses. When clicking the “Save” button, you receive a message stating …

Invalid MAC Address

I immediately checked for a firmware upgrade via the router’s built-in functionality. At the time, there wasn’t an upgrade available. The message being displayed was clearly a JavaScript alert and it was appearing without the form being submitted to the HTTP server running on the router. This gave me the idea that they might not be running server-side validation.

One thing that many people don’t know is that you can actually run javascript from the ADDRESS BAR in your browser. That’s right, the place that shows the URL to the page you’re on can actually execute javascript. This also opens doors to really simple hacks to pages so that you can do what you want.

Here is the little piece of hack code that I created to try to work around this issue. I found that they had a function called check_mac that they were testing the return value from to determine if the MAC was valid. I thought if I could just overwrite their javascript function with one that always returns true then I could add whatever I wanted.

javascript:alert(check_mac=function (){return true;});

I wrote up the above little piece of code, copied it into my browser’s address bar and hit enter. Firefox was stubborn and didn’t run it on the first try; instead it took me to a search page. I pressed the Back button and tried again. On the second attempt, I received an alert message showing me that my assignment worked!

I then tried saving the IP address reservation entry again and this time it worked! Now to finish storing IP address reservations, you have to click on the Save Settings button. Anxiously I tried that, and what do you know … there was no server-side validation performed. It stored my reservations and everything is working out just fine!

They have since released firmware that fixes this issue, but this is still a neat trick that hopefully readers can find useful. When a webpage just isn’t behaving the way you would like, maybe you can write a little piece of script to help you take better control of the situation yourself.
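
The workaround succeeds only because the router stored the request without checking it again on the server. A minimal sketch of the server-side check that closes that gap, as an added example that is not the router's firmware or code from the original post; the function names, the sample 192.168.0.0/24 subnet and the unicast-only rule are assumptions:

```javascript
// Added example: server-side validation of an IP reservation request.
// parseMac, validateReservation, handleSave and LAN are hypothetical names.
const LAN = { network: "192.168.0.0", prefix: 24 }; // constructed sample subnet

// Convert a dotted-quad IPv4 string to an unsigned integer, or null if malformed.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// Normalise a MAC to aa:bb:cc:dd:ee:ff; null unless it is six hex octets with one separator style.
function parseMac(input) {
  const m = /^([0-9a-f]{2})([:-])(?:[0-9a-f]{2}\2){4}[0-9a-f]{2}$/i.exec(String(input).trim());
  return m ? m[0].toLowerCase().replace(/-/g, ":") : null;
}

function validateReservation(req, lan = LAN) {
  const errors = [];
  const mac = parseMac(req.mac);
  if (!mac) errors.push("invalid MAC address");
  // Group bit (lowest bit of the first octet) set means multicast/broadcast, not one host.
  else if (parseInt(mac.slice(0, 2), 16) & 1) errors.push("MAC is not unicast");

  const ip = ipToInt(req.ip);
  const net = ipToInt(lan.network);
  const size = 2 ** (32 - lan.prefix);
  if (ip === null) errors.push("invalid IP address");
  else if (ip <= net || ip >= net + size - 1) errors.push("IP outside LAN host range");

  return { ok: errors.length === 0, mac, errors };
}

// Stand-in for the save handler: the server decides, whatever the page's script reported.
function handleSave(body) {
  const result = validateReservation(body);
  return result.ok
    ? { status: 200, stored: { mac: result.mac, ip: body.ip } }
    : { status: 400, errors: result.errors };
}
```

Because the handler never trusts the result of the page's own check, replacing or bypassing the client-side function changes nothing about what gets stored.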

Thanks for the idea. The script didn’t work in my address bar for some reason, but it inspired me to install Firebug and hack around the check_mac test. I was able to set a breakpoint at the check_mac function, change the first byte of the “temp_mac” mac address to 00, pass the check, restore the byte to the real value and continue… works great!

I’m glad it helped you in figuring out your own solution. It seems that I need to update the article as Firefox has made a change to the security in their browser that prevents this from working in the address bar in it now. There are still other simple options:

* Make a bookmark and specify the javascript code as the URL for it. Then click on the bookmark to execute it.
* Open the developer console (CTRL + Shift + K), paste the code there, and hit enter to run it.

This worked perfectly for me with Opera. Two other completely reasonable workarounds (updating the firmware and changing the saved settings with a text editor) didn’t work for me.
Javascript in the address bar… I had no idea. Well played!